feat: migrate initialization to cloud-init with UFW and Docker hardening #8
- Replace scripts/init.sh with oci-rm/templates/cloud-init.yaml.
- Inject cloud-init content as default value for user_data in variables.tf and schema.yaml.
- Configure UFW, Docker, and SSH hardening via cloud-init modules.
- Remove Dokploy references and update documentation for Portainer.

Co-authored-by: yxtay <5795122+yxtay@users.noreply.github.com>

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task.
Code Review
This pull request transitions the repository from a Dokploy-specific setup to a generic, hardened Docker setup on OCI using a new cloud-init configuration. Key changes include replacing iptables with UFW, applying sysctl security hardening, and installing Docker. Feedback highlights a security risk where Docker bypasses UFW rules by default, and suggests maintainability improvements to avoid duplicating the cloud-init configuration across multiple files. Additionally, a minor formatting correction is recommended for a numbered list in the README.
| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 4 | | 0 | 0 | 0.21s |
| ✅ ACTION | zizmor | 4 | 0 | 0 | 0 | 1.02s |
| ✅ BASH | bash-exec | 2 | | 0 | 0 | 0.01s |
| ✅ BASH | shellcheck | 2 | | 0 | 0 | 0.07s |
| ✅ BASH | shfmt | 2 | 0 | 0 | 0 | 0.01s |
| ✅ COPYPASTE | jscpd | yes | | no | no | 0.72s |
| ✅ EDITORCONFIG | editorconfig-checker | 29 | | 0 | 0 | 0.05s |
| ✅ JSON | prettier | 1 | 0 | 0 | 0 | 0.31s |
| ✅ JSON | v8r | 1 | | 0 | 0 | 2.31s |
| ✅ MARKDOWN | markdownlint | 3 | 0 | 0 | 0 | 0.53s |
| ✅ MARKDOWN | markdown-table-formatter | 3 | 0 | 0 | 0 | 0.18s |
| ✅ REPOSITORY | checkov | yes | | no | no | 27.0s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 0.46s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.01s |
| ✅ REPOSITORY | grype | yes | | no | no | 55.38s |
| ⚠️ REPOSITORY | osv-scanner | yes | | 1 | no | 0.12s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 1.27s |
| ✅ REPOSITORY | semgrep | yes | | no | no | 24.94s |
| ✅ REPOSITORY | syft | yes | | no | no | 1.65s |
| ✅ REPOSITORY | trivy | yes | | no | no | 12.14s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 0.23s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 5.22s |
| ✅ SPELL | lychee | 15 | | 0 | 0 | 1.14s |
| ✅ TERRAFORM | terraform-fmt | 7 | 0 | 0 | 0 | 0.35s |
| ✅ TERRAFORM | tflint | yes | | no | no | 5.58s |
| ✅ YAML | prettier | 11 | 0 | 0 | 0 | 0.47s |
| ✅ YAML | v8r | 11 | | 0 | 0 | 8.32s |
| ✅ YAML | yamllint | 11 | | 0 | 0 | 0.52s |
Detailed Issues
⚠️ REPOSITORY / osv-scanner - 1 error
Scanning dir .
Starting filesystem walk for root: /
End status: 22 dirs visited, 80 inodes visited, 0 Extract calls, 2.483017ms elapsed, 2.483247ms wall time
No package sources found, --help for usage information.
- Replace scripts/init.sh with oci-rm/templates/cloud-init.yaml.
- Update compute.tf to use the cloud-init template by default when user_data is empty.
- Configure UFW, Docker, and SSH hardening via cloud-init modules.
- Remove Dokploy references and update documentation for Portainer.

Co-authored-by: yxtay <5795122+yxtay@users.noreply.github.com>
…ardening

- Replace scripts/init.sh with oci-rm/templates/cloud-init.yaml.
- Use iptables for port management (22, 80, 443, 9443).
- Configure unattended-upgrades, SSH hardening, and Docker setup via cloud-init.
- Update documentation and clean up Dokploy references.

Co-authored-by: yxtay <5795122+yxtay@users.noreply.github.com>
- Update cloud-init.yaml to remove unused dependencies and kernel packages.
- Ensure automatic reboots are enabled for updates.

Co-authored-by: yxtay <5795122+yxtay@users.noreply.github.com>
…ardening

- Replace scripts/init.sh with oci-rm/templates/cloud-init.yaml.
- Use iptables for port management (22, 80, 443, 9443).
- Configure unattended-upgrades, SSH hardening, and Docker setup via cloud-init.
- Update documentation and clean up Dokploy/port 3000 references.

Co-authored-by: yxtay <5795122+yxtay@users.noreply.github.com>
- Remove sysctl hardening and SSH/root configurations from cloud-init.yaml.
- Keep unattended-upgrades with unused package removal and auto-reboot.
- Use iptables for port management (22, 80, 443, 9443).
- Maintain Docker installation and user group setup.

Co-authored-by: yxtay <5795122+yxtay@users.noreply.github.com>
- Configure unattended-upgrades using native keys in the apt module.
- Enable auto-reboot and removal of unused dependencies/kernel packages.
- Remove manual apt configuration file.

Co-authored-by: yxtay <5795122+yxtay@users.noreply.github.com>
Addressing review comments

1. Docker bypasses UFW (security-high) — Already addressed in subsequent commits. Switched from UFW to iptables, which Docker integrates with natively.
2. Maintainability: Avoid duplicating cloud-init — Already addressed.
3. Remove duplicated cloud-init default in variables.tf — Already done.
4. README numbered list — Fixed in next commit.

Additional fix: Invalid cloud-init

…grades

The `apt: unattended-upgrades:` section is not a valid cloud-init module. Use write_files to configure apt conf files directly. Add power_state reboot and fix README list formatting.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
for more information, see https://pre-commit.ci
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
/gemini review
Code Review
This pull request transitions the OCI instance initialization from a bash script (scripts/init.sh) that installs Dokploy to a YAML-based cloud-init configuration (oci-rm/templates/cloud-init.yaml) that installs Docker and configures basic networking (ports 80, 443, 9443). It also updates the Terraform configuration to use this template as a fallback if no custom user data is provided, and updates the documentation and schema variables accordingly. Feedback points out compatibility issues in the new cloud-init.yaml template when running on Oracle Linux (such as Debian-specific packages, missing curl, and a hardcoded ubuntu user), and suggests a more robust, cross-distribution implementation.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Only Ubuntu is used with Docker cloud-init setup.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Only Ubuntu supported; hardcode in compute.tf.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

/gemini review
Code Review
This pull request replaces the Dokploy installation bash script with a cloud-init configuration to set up a Docker-ready Ubuntu instance, while simplifying the Terraform configuration by hardcoding the OS to Ubuntu and updating the ingress ports. Feedback highlights a critical issue where the removed var.instance_image_os variable is still referenced in compute.tf. Additionally, it is recommended to change the Markdown indentation size in .editorconfig to 2, explicitly install curl and add retry flags in the cloud-init template, and resolve documentation mismatches in the README regarding unattended upgrades and port 22.
- Fix undeclared var.instance_image_os in postcondition error message
- Add curl to packages list for minimal images
- Add retry flags to curl for Docker install resilience
- Fix README to match actual cloud-init implementation
- Revert editorconfig indent_size=0 for markdown

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

/gemini review
Code Review
This pull request transitions the infrastructure setup from Dokploy to a generic Docker-ready Ubuntu environment. It removes Oracle Linux support, hardcodes the operating system to Canonical Ubuntu, and introduces a new cloud-init template (cloud-init.yaml) to automate package updates, iptables configuration, and Docker installation. The Terraform configuration is updated to use this template as a fallback when no custom user data is provided, and the old scripts/init.sh script is removed. Feedback on these changes highlights a critical issue where iptables-persistent is not installed by default, which would cause the firewall rules to fail to persist across reboots. Additionally, it is recommended to download the Docker installation script to the /tmp directory rather than the root directory.
Signed-off-by: YuXuan Tay <5795122+yxtay@users.noreply.github.com>
This change migrates the instance initialization from a bash script to a structured `cloud-init.yaml` template.

Key improvements:

- Replaced `scripts/init.sh` with `oci-rm/templates/cloud-init.yaml`.
- Injected the cloud-init content as the default value of the `user_data` variable in both `variables.tf` and `schema.yaml`, allowing users to preview and customize it directly in the OCI Resource Manager console.
- Replaced `iptables` with `UFW`, ensuring ports 22, 80, 443 (TCP/UDP), and 9443 (Portainer) are open.
- Enabled `unattended-upgrades` with automatic reboots.
- Added `sysctl` hardening for IP spoofing and SYN attack protection.
- Installed Docker via `get.docker.com` and added system users to the `docker` group.

PR created automatically by Jules for task 6435355215220674744 started by @yxtay
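The review comments in this thread raise three pitfalls with this kind of template: published Docker ports are forwarded and never hit the host's INPUT chain, so UFW (or plain INPUT rules) does not filter them; iptables rules written at first boot are gone after a reboot unless iptables-persistent is installed; and the Docker install script should be fetched with retries into /tmp rather than into /. The cloud-config below is an added example for this thread, not the repository's oci-rm/templates/cloud-init.yaml, showing how the pieces described above (UFW-free iptables, unattended-upgrades via write_files, sysctl hardening, get.docker.com, the docker group, a power_state reboot) fit together while addressing those review points. It assumes an Ubuntu image, an external interface named ens3, a default user named ubuntu and cloud-init 21.4 or newer (for `defer: true`); none of these values come from the PR.

```yaml
#cloud-config
# Added example for this PR thread; not the repository's cloud-init.yaml.
# Assumptions (not from the PR): Ubuntu image, external interface "ens3",
# default user "ubuntu", cloud-init >= 21.4 (write_files "defer").

package_update: true
package_upgrade: true

packages:
  - curl                 # minimal images may not ship it (review comment)
  - iptables-persistent  # without it the ruleset below is lost on reboot (review comment)
  - unattended-upgrades

# SSH hardening with native cloud-init keys.
ssh_pwauth: false
disable_root: true

write_files:
  # Restored by netfilter-persistent at every boot, before docker.service starts.
  # "defer: true" writes the file after package install, so the iptables-persistent
  # postinst cannot replace it with an autosave of the (empty) running rules.
  - path: /etc/iptables/rules.v4
    permissions: "0644"
    defer: true
    content: |
      *filter
      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT ACCEPT [0:0]
      :DOCKER-USER - [0:0]
      -A INPUT -i lo -j ACCEPT
      -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      -A INPUT -p icmp -j ACCEPT
      -A INPUT -p tcp -m multiport --dports 22,80,443,9443 -j ACCEPT
      -A INPUT -p udp --dport 443 -j ACCEPT
      # Traffic to published container ports is forwarded, not delivered to INPUT,
      # so host INPUT rules (UFW's included) never see it. Docker jumps to
      # DOCKER-USER before its own chains and does not flush it, so the same
      # port policy is enforced here for the external interface.
      -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
      -A DOCKER-USER -i ens3 -p tcp -m multiport --dports 80,443,9443 -j RETURN
      -A DOCKER-USER -i ens3 -p udp --dport 443 -j RETURN
      -A DOCKER-USER -i ens3 -j DROP
      -A DOCKER-USER -j RETURN
      COMMIT

  # unattended-upgrades is configured through apt conf files; there is no
  # "apt: unattended-upgrades:" cloud-init key (see the commit message above).
  - path: /etc/apt/apt.conf.d/52unattended-upgrades-local
    content: |
      Unattended-Upgrade::Remove-Unused-Dependencies "true";
      Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
      Unattended-Upgrade::Automatic-Reboot "true";
      Unattended-Upgrade::Automatic-Reboot-Time "03:00";

  # sysctl hardening: reverse-path filtering against spoofed sources, SYN cookies.
  - path: /etc/sysctl.d/60-hardening.conf
    content: |
      net.ipv4.conf.all.rp_filter = 1
      net.ipv4.conf.default.rp_filter = 1
      net.ipv4.tcp_syncookies = 1

runcmd:
  - [sysctl, --system]
  # Load the ruleset before Docker is installed: an iptables-restore run later
  # would wipe the DOCKER/DOCKER-ISOLATION chains the daemon creates at start.
  - [netfilter-persistent, reload]
  # Download to /tmp (not /), with retries for flaky first-boot networking.
  - [sh, -c, "curl -fsSL --retry 5 --retry-delay 5 -o /tmp/get-docker.sh https://get.docker.com"]
  - [sh, /tmp/get-docker.sh]
  - [rm, -f, /tmp/get-docker.sh]
  - [usermod, -aG, docker, ubuntu]   # assumed default user name

# Reboot only when the upgraded packages ask for it (new kernel, etc.).
power_state:
  mode: reboot
  condition: test -f /var/run/reboot-required
```

After the instance comes back up, `iptables -S DOCKER-USER` should show the four RETURN/DROP rules above ahead of anything Docker added, and `iptables -S FORWARD` should begin with Docker's jump to DOCKER-USER. Do not run `netfilter-persistent save` once Docker is running: it would capture Docker's dynamic chains into rules.v4, and restoring them at the next boot before the daemon starts leaves stale bridge rules in place. Confirm the interface name with `ip route show default` and change ens3 if the image names it differently.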